From 1a71616e0a9e83581dc93cf5361b8b45b2093a4f Mon Sep 17 00:00:00 2001
From: Ashish Kurmi
Date: Wed, 7 Sep 2022 22:19:28 -0700
Subject: [PATCH] ci: add minimum GitHub token permissions for workflows

Signed-off-by: Ashish Kurmi
---
 .github/workflows/auto-close-stale-issues.yml | 6 ++++++
 .github/workflows/issues.yml | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/.github/workflows/auto-close-stale-issues.yml b/.github/workflows/auto-close-stale-issues.yml
index 00365ce39..545583fd6 100644
--- a/.github/workflows/auto-close-stale-issues.yml
+++ b/.github/workflows/auto-close-stale-issues.yml
@@ -4,8 +4,14 @@ on:
 schedule:
 - cron: '0 0 * * *'
 
+permissions:
+ contents: read
+
 jobs:
 stale-bot:
+ permissions:
+ issues: write # for actions/stale to close stale issues
+ pull-requests: write # for actions/stale to close stale PRs
 runs-on: ubuntu-latest
 steps:
 - uses: actions/stale@v5.1.1
diff --git a/.github/workflows/issues.yml b/.github/workflows/issues.yml
index 6dec15ea0..47bf6ebbe 100644
--- a/.github/workflows/issues.yml
+++ b/.github/workflows/issues.yml
@@ -2,8 +2,14 @@ name: Milestone Labeler
 on:
 issues:
 types: [milestoned]
+permissions:
+ contents: read
+
 jobs:
 apply_labels:
+ permissions:
+ issues: write # for andymckay/labeler to label issues
+ pull-requests: write # for andymckay/labeler to label PRs
 runs-on: ubuntu-latest
 steps:
 - name: Add track-internal
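Review bot: The job-level `permissions:` block added under `stale-bot` replaces the workflow-level `contents: read` instead of extending it, so this job's token carries only `issues: write` and `pull-requests: write`, and the top-level block only applies to jobs that declare no block of their own. That is the least-privilege result, but the file does not say so; I would add a comment above the top-level block, `# default for jobs without their own permissions block; a job-level block replaces it`. If the `actions/stale` step is configured to delete branches it would presumably also need `contents: write`; the step's inputs lie outside the hunk, so that should be confirmed against the full job.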
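Review bot: `pull-requests: write` on `apply_labels` looks broader than this workflow needs, because the only trigger visible in the hunk is `issues` with `types: [milestoned]`, so the job does not appear to run for pull-request events. Unless a step below the hunk acts on PRs, I would drop that line and keep `issues: write # for andymckay/labeler to label issues` as the only job-level grant. The job's steps continue outside the hunk, so check them before removing the scope.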